This is extremely common. A lot of newer firewalls have it built in and it is basically just a checkbox and configuring a CA. Palo Alto prevents issues with banking by allowing a company to perform SSL decryption on all traffic, but exclude decryption on certain categories of sites. Therefore, you can perform decryption, but not decrypt banking sites. And, btw, even those "HTTPS" VPNs will often use IPsec after the initial authentication. SSL is usually a fallback.